TenantAtlas/specs/069-managed-tenant-onboarding-wizard/tasks.md
2026-02-01 12:20:09 +01:00

description: Task list for feature implementation

Tasks: Managed Tenant Onboarding Wizard v1

Input: Design documents from specs/069-managed-tenant-onboarding-wizard/

Prerequisites: plan.md (required), spec.md (required), plus research.md, data-model.md, contracts/, quickstart.md

Tests: Required (Pest) — runtime behavior changes.


Phase 1: Setup (Shared Infrastructure)

Purpose: Confirm repo conventions and entry points before implementation.

  • T001 Inventory existing tenant-create entry points in app/Filament/Pages/Tenancy/RegisterTenant.php and app/Filament/Resources/TenantResource.php
  • T002 Confirm tenant-plane routing + membership 404 middleware in app/Providers/Filament/AdminPanelProvider.php
  • T003 [P] Confirm provider registration location (Laravel 11+) in bootstrap/providers.php
  • T004 [P] Review Filament v5 page/resource/testing rules in docs/research/filament-v5-notes.md
  • T051 Map spec conceptual capabilities → App\Support\Auth\Capabilities constants (TENANT_VIEW/TENANT_MANAGE/PROVIDER_RUN/TENANT_INVENTORY_SYNC_RUN) and note the mapping in specs/069-managed-tenant-onboarding-wizard/plan.md

Phase 2: Foundational (Blocking Prerequisites)

Purpose: Shared data model + operation labeling needed by all user stories.

⚠️ CRITICAL: No user story work should start until these are done.

  • T005 Create onboarding sessions migration in database/migrations/*_create_tenant_onboarding_sessions_table.php
  • T006 Create TenantOnboardingSession model in app/Models/TenantOnboardingSession.php
  • T007 [P] Create TenantOnboardingSession factory in database/factories/TenantOnboardingSessionFactory.php
  • T008 Add partial unique index for active sessions in database/migrations/*_create_tenant_onboarding_sessions_table.php
  • T009 Add onboarding status columns migration in database/migrations/*_add_onboarding_status_to_tenants_table.php
  • T010 Update Tenant model onboarding casts/accessors in app/Models/Tenant.php
  • T011 Register OperationCatalog label(s) for any new onboarding verification run type(s) (only if a new type is introduced) in app/Support/OperationCatalog.php
  • T012 Register expected duration(s) for any new onboarding verification run type(s) (only if a new type is introduced) in app/Support/OperationCatalog.php
  • T052 Add AuditLog coverage tasks for onboarding-sensitive actions using app/Services/Intune/AuditLogger.php (credentials set/rotate, onboarding completed) and ensure action IDs are stable

Checkpoint: Foundation ready — user story work can begin.


Phase 3: User Story 1 — Onboard a managed tenant end-to-end (Priority: P1) 🎯 MVP

Goal: Create a guided, resumable, 5-step wizard that creates/updates a Tenant without external calls.

Independent Test: Complete the wizard and confirm Tenant + session state are persisted and resumable.

Tests for User Story 1 (required)

  • T013 [P] [US1] Add wizard happy-path coverage in tests/Feature/ManagedTenantOnboardingWizardTest.php
  • T014 [P] [US1] Add resume + dedupe coverage in tests/Feature/ManagedTenantOnboardingWizardResumeTest.php
  • T015 [P] [US1] Add tenant-duplicate prevention coverage in tests/Feature/ManagedTenantOnboardingWizardDuplicateTest.php

Implementation for User Story 1

  • T016 [US1] Implement session persistence service in app/Services/TenantOnboardingSessionService.php
  • T017 [P] [US1] Create onboarding wizard page Livewire component in app/Filament/Pages/TenantOnboardingWizard.php
  • T018 [P] [US1] Create onboarding wizard view in resources/views/filament/pages/tenant-onboarding-wizard.blade.php
  • T019 [US1] Add step definitions + per-step validation in app/Filament/Pages/TenantOnboardingWizard.php
  • T020 [US1] Implement start-or-resume behavior in app/Services/TenantOnboardingSessionService.php
  • T021 [US1] Ensure session payload excludes secrets in app/Services/TenantOnboardingSessionService.php
  • T022 [US1] Implement tenant creation/update (DB-only) in app/Filament/Pages/TenantOnboardingWizard.php
  • T023 [US1] Enforce uniqueness by tenant_id (repository “workspace” == Tenant container; tenant_id is the unique external key) in app/Filament/Pages/TenantOnboardingWizard.php
  • T024 [US1] Add “credentials required” decision rule config in config/tenantpilot.php
  • T025 [US1] Apply credentials-step conditional rendering in app/Filament/Pages/TenantOnboardingWizard.php
  • T026 [US1] Ensure secrets never re-render (only “set/missing”) in resources/views/filament/pages/tenant-onboarding-wizard.blade.php
  • T027 [US1] Add “Resume wizard” action to tenant view in app/Filament/Resources/TenantResource.php
  • T028 [US1] Remove/disable non-wizard tenant creation entry in app/Filament/Pages/Tenancy/RegisterTenant.php
  • T029 [US1] Remove/disable TenantResource create flow entry in app/Filament/Resources/TenantResource.php

Checkpoint: US1 complete — wizard works end-to-end, resumable, DB-only.


Phase 4: User Story 2 — Run verification checks without blocking page loads (Priority: P2)

Goal: Trigger verification via enqueue-only OperationRun and display stored results (no Graph calls during render).

Independent Test: Load wizard step pages without outbound calls; click Verify → OperationRun created and job enqueued.

Tests for User Story 2 (required)

  • T030 [P] [US2] Assert wizard render/mount is DB-only by binding a failing fake GraphClientInterface (or equivalent Graph abstraction) in tests/Feature/ManagedTenantOnboardingWizardDbOnlyRenderTest.php
  • T031 [P] [US2] Assert Verify creates/dedupes OperationRun in tests/Feature/TenantOnboardingVerifyOperationRunTest.php
  • T032 [P] [US2] Assert permissions step uses stored results in tests/Feature/ManagedTenantOnboardingWizardPermissionsViewTest.php

Implementation for User Story 2

  • T033 [US2] Ensure any wizard-triggered verification action is enqueue-only (creates/reuses OperationRun + dispatches job) and never calls Graph during render/mount in app/Filament/Pages/TenantOnboardingWizard.php
  • T034 [US2] Wire “Check connection” to the existing provider.connection.check operation (OperationRun type + existing job patterns) and render stored outcome in app/Filament/Pages/TenantOnboardingWizard.php
  • T035 [US2] Implement run creation + dedupe for onboarding verification (permissions/RBAC) in app/Filament/Pages/TenantOnboardingWizard.php
  • T036 [US2] Create onboarding verification job (Graph calls allowed only inside job via GraphClientInterface + contracts) in app/Jobs/TenantOnboardingVerifyJob.php
  • T037 [US2] Dispatch TenantOnboardingVerifyJob only when run is newly created and persist sanitized results to tenant fields in app/Filament/Pages/TenantOnboardingWizard.php
  • T038 [US2] Render stored “Granted/Missing” status in resources/views/filament/pages/tenant-onboarding-wizard.blade.php
  • T039 [US2] Implement completion criteria check based on stored results in app/Filament/Pages/TenantOnboardingWizard.php

Checkpoint: US2 complete — verification is observable + async; UI shows stored results.


Phase 5: User Story 3 — RBAC-UX enforcement and safe access semantics (Priority: P3)

Goal: Enforce 404 vs 403 semantics and ensure UI elements are disabled, with a tooltip, for insufficient capabilities.

Independent Test: Non-member gets 404; member without the capability sees disabled UI and the server rejects with 403.

Tests for User Story 3 (required)

  • T040 [P] [US3] Assert non-member wizard access is 404 in tests/Feature/ManagedTenantOnboardingWizardRbacTest.php
  • T041 [P] [US3] Assert member missing capability is 403 on actions in tests/Feature/ManagedTenantOnboardingWizardRbacTest.php
  • T042 [P] [US3] Assert disabled UI state is rendered for insufficient capability in tests/Feature/ManagedTenantOnboardingWizardUiEnforcementTest.php

Implementation for User Story 3

  • T043 [US3] Wrap wizard actions with UiEnforcement in app/Filament/Pages/TenantOnboardingWizard.php
  • T044 [US3] Enforce server-side Gate authorization in app/Filament/Pages/TenantOnboardingWizard.php
  • T045 [US3] Ensure wizard page is not registered in nav (entry-point only) in app/Filament/Pages/TenantOnboardingWizard.php
  • T046 [US3] Ensure credential mutation actions require confirmation in app/Filament/Pages/TenantOnboardingWizard.php

Checkpoint: US3 complete — RBAC semantics are enforced and regression-tested.


Phase 6: Polish & Cross-Cutting Concerns

  • T047 Add legacy redirect for /admin/new → /admin/choose-tenant in routes/web.php
  • T048 Add/verify onboarding “single front door” UX copy in resources/views/filament/pages/tenant-onboarding-wizard.blade.php
  • T049 [P] Run formatter on touched files via vendor/bin/sail bin pint --dirty (targets app/ and tests/)
  • T050 Run focused test suite via vendor/bin/sail artisan test --compact tests/Feature/ManagedTenantOnboardingWizardTest.php
  • T053 Add at least one positive authorization test (member with required capability can start/resume/verify) alongside the negative 404/403 tests in tests/Feature/ManagedTenantOnboardingWizardRbacTest.php

Dependencies & Execution Order

Phase Dependencies

  • Phase 1 (Setup) → Phase 2 (Foundational) → User story phases.

User Story Dependencies (graph)

  • US1 (P1) → US2 (P2) → US3 (P3)
    • US2 depends on US1 having the wizard + tenant/session persistence.
    • US3 can be implemented alongside US1/US2 but must land with tests.

Parallel opportunities

  • Setup: T003–T004 can run in parallel.
  • Foundational: T007 can run in parallel with T005–T006.
  • US1 tests (T013–T015) can be authored in parallel.
  • US2 tests (T030–T032) can be authored in parallel.
  • US3 tests (T040–T042) can be authored in parallel.

Parallel Example: User Story 1

# Tests in parallel
T013  # tests/Feature/ManagedTenantOnboardingWizardTest.php
T014  # tests/Feature/ManagedTenantOnboardingWizardResumeTest.php
T015  # tests/Feature/ManagedTenantOnboardingWizardDuplicateTest.php

# UI + service split
T016  # app/Services/TenantOnboardingSessionService.php
T017  # app/Filament/Pages/TenantOnboardingWizard.php
T018  # resources/views/filament/pages/tenant-onboarding-wizard.blade.php

Parallel Example: User Story 2

# Tests in parallel
T030  # tests/Feature/ManagedTenantOnboardingWizardDbOnlyRenderTest.php
T031  # tests/Feature/TenantOnboardingVerifyOperationRunTest.php
T032  # tests/Feature/ManagedTenantOnboardingWizardPermissionsViewTest.php

# Job + UI work split
T036  # app/Jobs/TenantOnboardingVerifyJob.php
T035  # app/Filament/Pages/TenantOnboardingWizard.php
T038  # resources/views/filament/pages/tenant-onboarding-wizard.blade.php

Parallel Example: User Story 3

# Tests in parallel
T040  # tests/Feature/ManagedTenantOnboardingWizardRbacTest.php
T042  # tests/Feature/ManagedTenantOnboardingWizardUiEnforcementTest.php

# Enforcement
T043  # app/Filament/Pages/TenantOnboardingWizard.php

Implementation Strategy

MVP scope

  • MVP = US1 only (wizard + session persistence + single front door).

Incremental delivery

  1. Setup + Foundational.
  2. Deliver US1 (MVP) and validate independently.
  3. Add US2 (enqueue-only verification) and validate independently.
  4. Add US3 (RBAC-UX hardening + regression tests).